D-Link DI-500WF Stack-Based Buffer Overflow Vulnerability in jhttpd Component

Vulnerability

A critical stack-based buffer overflow vulnerability has been identified in the D-Link DI-500WF wireless access point, specifically in firmware version 17.04.10A1T. The issue is in the jhttpd component, within the ip_position.asp file. The overflow occurs in a call to the sprintf function, which is passed the 'ip' parameter of an HTTP GET request without input validation. An overlong value overwrites stack memory, potentially leading to arbitrary code execution or a device crash.
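
The unchecked sprintf pattern described above, next to a validated and bounded alternative. This is an added example, not code from the firmware or from D-Link; the function names, the buffer size and the "ip=%s" format string are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 64  /* assumed size; the page does not give the real one */

/*
 * Pattern described in the advisory (hypothetical reconstruction):
 *
 *     char buf[CMD_BUF_LEN];
 *     sprintf(buf, "ip=%s", ip);   // 'ip' taken directly from the GET request
 *
 * sprintf writes as many bytes as 'ip' holds, so a long value runs past
 * buf and over the saved registers and return address on the stack.
 */

/* Accept only a syntactically valid dotted-quad IPv4 address. */
static int ip_param_is_valid(const char *ip)
{
    struct in_addr addr;
    size_t i;

    if (ip == NULL)
        return 0;
    /* Longest valid IPv4 text is "255.255.255.255" (15 characters). */
    for (i = 0; i < INET_ADDRSTRLEN && ip[i] != '\0'; i++)
        ;
    if (i == INET_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, ip, &addr) == 1;
}

/*
 * Hardened formatting: validate first, then call snprintf with the real
 * destination size and treat truncation as an error.
 * Returns 0 on success, -1 if the input is rejected or does not fit.
 */
int format_ip_field(char *dst, size_t dst_len, const char *ip)
{
    int n;

    if (dst == NULL || dst_len == 0 || !ip_param_is_valid(ip))
        return -1;
    n = snprintf(dst, dst_len, "ip=%s", ip);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';  /* never hand a truncated value to the caller */
        return -1;
    }
    return 0;
}
```

Rejecting the request at validation time, rather than truncating, keeps a malformed 'ip' value from reaching any later code that consumes the formatted string.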

Impact

Exploitation of this vulnerability can cause a device crash or allow for arbitrary code execution with the privileges of the httpd service, potentially leading to complete device compromise, network infiltration, or the installation of a persistent backdoor.

Reproduction

The vulnerability can be reproduced by authenticating as an admin user and sending a crafted GET request to the ip_position.asp file with a long 'ip' parameter. This can be done using a script that logs into the device and then sends the exploit payload via the vulnerable parameter.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.